In response to an increase in consumer identity theft the Fair and Accurate Credit Transaction Act (FACTA) went into law on Dec. 4, 2003.  On Oct. 31, 2007, the FTC, along with 5 federal banking regulators, took the next step and published a final set of Red Flag regulations into effect.  These regulations required all financial institutions and creditors develop and implement written red flag identity theft programs no later than Nov. 1, 2008.  However, on Oct. 22, 2008, the FTC announced that it would delay the enforcement of the Red Flag rules by six months, to May 1, 2009. This delay by the FTC does not effect the compliance deadline for the finacial institution sector that comes under the 5 federal banking regulators.

Purpose of the Red Flag Rule is to detect and stop identity thieves using someone else's identifying information at your institution to commit fraud.

Definitions:

From the FCRA, a "financial institution" is:

• A state or national bank
• A state or federal savings and loan association
• A mutual savings bank
• A state or federal credit union, or
• Any other person that directly or indirectly holds a transaction account belonging to a consumer.

From ECOA, a "creditor" is:

• Any person who regularly extends, renews, or continues credit
• Any person who regularly arranges for the extension, renewal, or continuation of credit, or
• Any assignee of an original creditor who participates in the decision to extend, renew, or continue credit

Program Requirements:

1. Must implement a written Identity Theft Prevention Program to detect, prevent, and mitigate identity theft in connection with:
   • the opening of a covered account, or
   • any existing account
2. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of activities.
3. Must include reasonable policies and procedures to:
   • Identify relevant red flags and incorporate them into the Program
   • Detect red flags that are part of the Program
   • Respond appropriately to any red flags that are detected
   • Ensure the Program is updated periodically to address changing risks
4. Obtain approval of the initial Program by the board or a committee of senior staff
5. Train employees
6. Review all service provider arrangements and assure they have Programs in place

The Identity Theft Prevention Program must be risk-based.  It must be able to detect any red flags that occur, respond to them appropriately and ensure that the red flags themselves are updated periodically to reflect changes in identity theft risks to customers, creditors and any service providers or vendors.

The 5 Categories of Red Flags

1. Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services.
2. The presentation of suspicious documents.
3. The presentation of suspicious personal identifying information, such as a suspicious address change.
4. The unusual use of, or other suspicious activity related to, a covered account.
5. Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible Identity Theft in connection with covered accounts.

 Red Flag Rule Penalties for Non-Compliance

Federal:    $2,500 per individual incident (customer/transaction)

State:        $1,000 per individual incident (customer/transaction, plus attorney fees)

After regulatory warning:  $11,000 per individual incident.


Links

Full Text of Red Flag Rule:

www.ftc.gov/os/2007/10/r611019redflagsfrn.pdf 

FTC Red Flag Enforcement Policy:

www.ftc.gov/opa/2008/10/redflags.shtm 

FTC Red Flags Site:

www.ftc.gov/redflagsrule

FTC Delays Enforcement till August 1, 2009

www.ftc.gov/opa/2009/04/redflagsrule.shtm


We have available a state of the art online solution for the creation of your Identity Theft Prevention Program and Training Module.  

Please contact us for more information on our product offering.